'My Friend Cayla' Doll Being Hacked, Used for Espionage-Truth! & Disputed!

Summary of eRumor:
A doll called “My Friend Cayla” contains a connected Bluetooth listening device that is being used to spy on children and record their conversations.
The Truth:
The maker of the “My Friend Cayla” doll and other “smart” kids’ toys faces allegations that its toys illegally record children’s interactions and send information back to the manufacturer over the internet without permission from the children’s parents.
Warnings about the My Friend Cayla doll recording private conversations surfaced after Germany’s Federal Network Agency issued a notice on February 17, 2017, that parents should voluntarily destroy the toy over concerns that it has a secret listening device:

It is precisely from toys as espionage devices that dangers arise: Without the knowledge of the parents, the conversations of the child and other persons can be recorded and forwarded. Through the toy, a company could also address the child or the parents individually with advertising. Furthermore, a toy, if the radio link (like Bluetooth) is not adequately protected by the manufacturer, can be used unnoticed by nearby parties to listen to conversations.

The consumer warning notes that similar “smart” toys that can make secret recordings have already been taken off the market in Germany, but it didn’t indicate that similar action was immediately being taken against the My Friend Cayla doll.
But this isn’t the first time the My Friend Cayla doll has found herself in hot water. A complaint against My Friend Cayla’s manufacturer, Genesis Toys, was filed with the Federal Trade Commission (FTC) in the U.S. in December 2016:

This complaint concerns toys that spy. By purpose and design, these toys record and collect the private conversations of young children without any limitations on collection, use, or disclosure of this personal information. The toys subject young children to ongoing surveillance and are deployed in homes across the United States without any meaningful data protection standards. They pose an imminent and immediate threat to the safety and security of children in the United States.

As set forth in detail below, certain business practices by toy manufacturer Genesis Toys and speech recognition technology provider Nuance Communications violate both specific children’s privacy and general consumer protections in the United States. Both Genesis Toys and Nuance Communications unfairly and deceptively collect, use, and disclose audio files of children’s voices without providing adequate notice or obtaining verified parental consent in violation of the Children’s Online Privacy Protection Act (“COPPA”), the COPPA Rule, and Section 5 of the Federal Trade Commission Act. It is incumbent upon the Federal Trade Commission (“FTC” or “Commission”) to take action in this matter, and to enjoin Genesis Toys and Nuance Communications from such unlawful activities.

The complaint continues that Genesis manufactures the physical My Friend Cayla and i-Que dolls and develops applications for them that are available through Google Play and the iTunes store.

Genesis manufactures the physical Cayla and i-Que dolls and develops and provides the companion applications, available from the Google Play and iTunes app stores.

And, the complaint alleges, the privacy issues lie in these applications that are then installed into the “smart” toys:

The companion application for My Friend Cayla requests permission to access the hardware, storage, microphone, Wi-Fi connections, and Bluetooth on users’ devices, but fails to disclose to the user the significance of obtaining this permission. The i-Que companion application also requests access to the device camera, which is not necessary to the toy’s functions and is not explained or justified.

After establishing a Bluetooth connection with the Cayla and/or i-Que doll, the mobile application connects the doll to the internet. The Cayla and i-Que applications record and collect conversations between the dolls and children. A child’s statements are converted into text, which is then used by the application to retrieve answers using Google Search, Wikipedia and Weather Underground.

In addition to researching and providing factual answers to questions posed by the child, the application also allows the doll to provide appropriate responses to everything the child says, including conversational questions and comments. Cayla and i-Que encourage children to openly converse with the toys, as if chatting with a friend. According to Genesis, “Cayla can understand and respond to you in real-time about almost anything. . . She is not just a doll… she’s a real friend!”

The complaint continues that researchers have discovered that My Friend Cayla is pre-programmed with dozens of phrases that reference Disney World and Disney movies, and that she tells children she loves going to Disneyland and wants to go to Epcot at Disney World, which amounts to deceptive advertising:

This product placement is not disclosed and is difficult for young children to recognize as advertising. Studies show that children have a significantly harder time identifying advertising when it’s not clearly distinguished from programming. Brand placement is particularly hard for children to understand because children focus their attention on the content and utilize “fewer cognitive resources . . . to consciously scrutinize and evaluate placed brands.” Since the product placement is not disclosed, parents who purchase the doll for their children are unaware there is product placement in the conversations.

Researchers also found that data collected from the toy is uploaded and stored in a cloud-based system with an IP address registered in Burlington, Massachusetts, the same city where software developer Nuance is located:

Researchers found that both Apple and Android apps for Cayla upload data to the same IP address, which is located in Burlington, Massachusetts, the same city where Nuance is headquartered. Geolocation data confirms that IP address belongs to Nuance.

Researchers observed that the data was sent while the app was recording the speech, and the size of the data sent indicated that the files being uploaded were sound files. The Cayla and i-Que Terms of Service state that Genesis and Nuance use speech data, including audio files and text transcriptions, to enhance and improve products.

The complaint also states that the companies’ terms of service are difficult to access, and that the companies fail to obtain a parent’s permission before transmitting data about the child to the company, amounting to a violation of the Children’s Online Privacy Protection Act (COPPA).

The German distributor of My Friend Cayla, Vivid GmbH, has argued that My Friend Cayla is not an espionage device and will challenge Germany’s recent ban of the doll in court, Sky News reports:

Vivid GmbH said it was taking the allegations about My Friend Cayla “very seriously” and would challenge the sale ban in court.

“She is not an espionage device and can be used safely in every respect according to the user manual,” said the German company in a statement.

So, it’s clear that My Friend Cayla and other smart toys marketed by Genesis Toys collect and transmit data about their interactions with children. Whether or not the toy violates U.S. or German laws is currently up in the air. For that reason, we’re calling this one truth and disputed.